GHSA-cq88-842x-2jhp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-cq88-842x-2jhp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-cq88-842x-2jhp/GHSA-cq88-842x-2jhp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-cq88-842x-2jhp
- Aliases
- Published
- 2025-04-04T14:09:40Z
- Modified
- 2025-04-09T17:42:02.482719Z
- Severity
-
- 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Miniflux Media Proxy vulnerable to Stored Cross-site Scripting due to improper Content-Security-Policy configuration
- Details
-
Summary
Due to a weak Content Security Policy on the
/proxy/*route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window.Impact
A malicious feed added to Miniflux can execute arbitrary JavaScript in the user's browser when opening external resources, such as proxified images, in a new tab or window.
Mitigation
The CSP for the media proxy has been changed from
default-src 'self'todefault-src 'none'; form-action 'none'; sandbox;.Upgrade to Miniflux >= 2.2.7
Credit
RyotaK (GMO Flatt Security Inc.) with takumi-san.ai
- Database specific
{ "nvd_published_at": "2025-04-03T18:15:47Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-04-04T14:09:40Z" }- References
Affected packages
Go / miniflux.app/v2
Package
- Name
- miniflux.app/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/miniflux.app/v2